How to visualize tcpdump output with GraphViz?

Let's assume you want to visualize your network's structure.
How could you get it? Well, there are plenty of ways. For example, you can use
Gephi, Scapy and other tools and scripts. Or you can do it yourself :)

I'll show you one such way: how to visualize tcpdump output
with the help of GraphViz and bash only.

What do we have?

Suppose all you have is a tcpdump log. You could get it from wherever you want,
or you can make it yourself.

What do we need?

We need a graph of the network:

PCs (identified by IP address) are nodes

If one PC sent data to another, their nodes should be connected

We should get something like this:

A bit of theory

We will use:

tcpdump

GraphViz

bash

If you are already familiar with these technologies, you can skip the next 2 chapters ;)

Tcpdump

tcpdump is a utility to dump traffic on a network. There are plenty of tutorials on how to work with it
(one, two, three).
I will show only the most basic and common commands.

Basic args

-i any: Listen on all interfaces, useful just to check whether you're seeing any traffic at all.

-i eth0: Listen on the eth0 interface.

-n: Don't resolve hostnames.

-nn: Don't resolve hostnames or port names.

-X: Show the packet's contents in both hex and ASCII.

-v, -vv, -vvv: Increase the amount of packet information you get back.

-c x: Only capture x packets and then stop.

-S: Print absolute sequence numbers.

-w file.pcap: Save the packet data to file.pcap for later analysis. Data is saved in binary form, so you can later get ALL needed info from that file.

-r file.pcap: Read packets from the saved file file.pcap rather than from a network interface. You can also specify any needed options, like -n, -v, -S and so on.

-t: Don't print a timestamp on each dump line.

Basic usage

tcpdump -nS -i eth0: see basic info without many options

tcpdump -nnvvS -i eth0: see a good amount of traffic, with verbosity and no name resolution

Let's Code it!

Going back to the original problem, I think you already know what we need to do:

Parse a tcpdump log and grep all IP addresses

Put them into a file in GraphViz DOT syntax

Render an image

Profit!
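The steps above carried out in bash, as an added example that is not the author's script and not part of the original post; the function name tcpdump_to_dot and the sample log lines are constructed for illustration, and the parser assumes non-verbose tcpdump -n text (one packet per line).

```shell
#!/usr/bin/env bash
# Added example (not the author's script): turn one-line `tcpdump -n` output
# into a GraphViz DOT graph. Each IPv4 address becomes a node and each
# src -> dst pair that sent at least one packet becomes one directed edge.
# Assumes non-verbose tcpdump text (no -v), which prints one packet per line.

# Read tcpdump lines on stdin, write a DOT digraph on stdout.
tcpdump_to_dot() {
    echo 'digraph network {'
    echo '    node [shape=box];'
    awk '{
        # Locate the "IP src > dst:" triple; works with or without the
        # leading timestamp (-t). IP6 and ARP lines never match and are skipped.
        for (i = 3; i < NF; i++) {
            if ($i == ">" && $(i-2) == "IP") {
                src = $(i-1); dst = $(i+1)
                sub(/:$/, "", dst)                 # drop the trailing colon
                # TCP/UDP endpoints carry a ".port" suffix, ICMP ones do not.
                # An IPv4 address has 3 dots, so a 4th dot marks a port.
                if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
                if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
                print "    \"" src "\" -> \"" dst "\";"
                break
            }
        }
    }' | sort -u                                   # one edge per pair
    echo '}'
}

# Constructed sample of `tcpdump -n` output (not a real capture).
SAMPLE_LOG='12:00:01.000001 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.80 > 192.168.1.10.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [.], ack 3, win 502, length 0
12:00:02.000004 IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.000005 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
12:00:03.000006 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28'

# Usage: ./tcpdump2dot.sh capture.log | dot -Tpng -o network.png
# With no argument the constructed sample is used instead of a log file.
if [ -n "${1:-}" ]; then
    tcpdump_to_dot < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | tcpdump_to_dot
fi
```

Every packet between the same pair collapses into one edge thanks to sort -u, so the resulting picture shows who talked to whom, not how much.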

Parse script

There are some existing solutions for this problem, like this or this one,
but in my case (if you already have a tcpdump log to visualize) they were too complex
or didn't work at all. So, I wrote it myself.